Edit report at http://bugs.php.net/bug.php?id=36355&edit=1

 ID:               36355
 Comment by:       ailton at aramorais dot com dot br
 Reported by:      jnavratil at houston dot rr dot com
 Summary:          OCIEnvNlsCreate() failed.
 Status:           Bogus
 Type:             Bug
 Package:          OCI8 related
 Operating System: Fedora Core 4.2
 PHP Version:      6CVS-2006-02-10 (snap)

 New Comment:

The solution is to configure the Apache envvars file.

Path: /usr/local/apache2/bin/envvars

Example:

ORACLE_HOME=/usr/lib/oracle/10.1.0.3/client;export ORACLE_HOME
NLS_LANG=AMERICAN;export NLS_LANG
LD_LIBRARY_PATH=/usr/lib/oracle/10.1.0.3/client/lib;export LD_LIBRARY_PATH
LD_LIBRARY_PATH="/usr/local/apache2/lib:$LD_LIBRARY_PATH"
export LD_LIBRARY_PATH


Previous Comments:
------------------------------------------------------------------------
[2006-02-10 21:28:02] tony2...@php.net

>It didn't seem to be necessary with PHP5.0.4 and 10g Release 2.

Yes, it's funny and everybody is laughing. Because _it is_ necessary for
all versions of OCI libraries, except for the Instant Client.

>You said that "OCI8 extension itself doesn't require any
>variables, access privileges etc.".

ext/oci8 - PHP extension.
OCI - Oracle Call Interface libraries.
See the difference?

>Something that doesn't permit
>the execution of dbshut, for example.

JFYI: to run dbshut you need to do `su - oracle` first.

>I need to provide access to for the "world", don't I?

No?
And even if you would need it, what secrets are you trying to hide in
your tnsnames.ora, huh?

>But if you have Oracle Client installed you really don't
> need instant client, do you?  Except for security reasons.

Well, _now_ it's funny. I thought you were so worried exactly because of
security reasons.
And now you're saying you don't need it.
But why do I care?

------------------------------------------------------------------------
[2006-02-10 20:58:14] jnavratil at houston dot rr dot com

> It doesn't matter what I think about it, this
> is *required* by oracle client libraries.

Funny.  It didn't seem to be necessary with PHP5.0.4 and 10g Release 2.
But what do I know?

> Why do you tell me this?

Just to piss you off!  Maybe a couple of deep breaths next time.

> If you know how to avoid it (and still provide a way
> for OCI to read tnsnames.ora and other files) -
> tell it to Oracle people.

But wait!  You said that "OCI8 extension itself doesn't require any
variables, access privileges etc.".  Are you telling me that you need
access to tnsnames.ora or other resources?  If so, please elaborate and
perhaps a more limited relaxation of security can be arranged.  Something
that doesn't permit the execution of dbshut, for example.

> Also I think it would be worth reading about unix
> privileges. You don't have to grant to the user both
> execute and read privileges at the same time.

Really?  I wonder why I didn't know that :P  However, I still need to
know what I need to provide access to for the "world", don't I?

>Wrong. It doesn't matter whether the server is local or not.

Of course!  But if you have Oracle Client installed you really don't
need instant client, do you?  Except for security reasons.

>>I don't know but now will have to learn it to find out.
>Yes, do it please.

And when you know everything we will all sing your praises, Hallelujah!

>Please direct your complaints to Oracle, it has nothing
>to do with PHP or ext/oci8.

Nothing, indeed!  But I believe I have beat my head against this enough
for the time being.

------------------------------------------------------------------------
[2006-02-10 20:05:45] tony2...@php.net

>Do you really think that apache should be a member of
>the oracle group to run php5_module with OCI8?

It doesn't matter what I think about it, this is *required* by oracle
client libraries.

>A friend, who has been a consultant with Oracle for the
> last 10 years doesn't consider it kosher.

Why do you tell me this?
If you know how to avoid it (and still provide a way for OCI to read
tnsnames.ora and other files) - tell it to Oracle people.

> My client for whom I am developing a PHP/Oracle
> application doesn't particularly like the idea of a PHP
> script being able to execute any Oracle binary it likes.

Tell your client about open_basedir directive.
Also I think it would be worth reading about unix privileges. You don't
have to grant to the user both execute and read privileges at the same
time.

>Instant client is designed for accessing remote database servers.

Wrong. It doesn't matter whether the server is local or not.

>I don't know but now will have to learn it to find out.

Yes, do it please.

>Clearly OCI8 as currently written is pretty useless for a
>production environment, at least if Oracle and Apache are
>on the same server.

Please direct your complaints to Oracle, it has nothing to do with PHP
or ext/oci8.
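
The read-versus-execute distinction raised in the comment above, as an added example that is not part of the original thread: a shell audit of what "other" can do inside an Oracle home. It assumes the web server account is neither the owner nor in the owning group; the function names and the sample tree are hypothetical and constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit "other" permissions inside an Oracle home.
# Assumption: the web server account reaches these files via the "other" bits.

# Tools under $1/bin that "other" may execute (e.g. dbshut).
world_executable_tools() {
    find "$1/bin" -type f -perm -0001 2>/dev/null | sort
}

# Files under $1/network/admin (tnsnames.ora etc.) that "other" cannot read.
world_unreadable_config() {
    find "$1/network/admin" -type f ! -perm -0004 2>/dev/null | sort
}

# Directories on the way to the config that "other" cannot traverse;
# a directory needs the execute (search) bit even for read-only access.
world_blocked_dirs() {
    for d in "$1" "$1/network" "$1/network/admin"; do
        [ -d "$d" ] && [ -z "$(find "$d" -prune -perm -0001)" ] && echo "$d"
    done
    return 0
}

# Constructed sample tree with empty files; not a real Oracle installation.
make_sample_home() {
    h=$(mktemp -d) || return 1
    mkdir -p "$h/bin" "$h/network/admin"
    : > "$h/bin/dbshut";  chmod 0750 "$h/bin/dbshut"    # owner and group only
    : > "$h/bin/sqlplus"; chmod 0755 "$h/bin/sqlplus"   # world-executable
    : > "$h/network/admin/tnsnames.ora"
    chmod 0644 "$h/network/admin/tnsnames.ora"          # world-readable
    : > "$h/network/admin/sqlnet.ora"
    chmod 0640 "$h/network/admin/sqlnet.ora"            # not world-readable
    chmod 0755 "$h" "$h/bin" "$h/network" "$h/network/admin"
    echo "$h"
}

# Stand-alone run against the constructed tree.
demo_home=$(make_sample_home)
echo "World-executable tools:";  world_executable_tools "$demo_home"
echo "World-unreadable config:"; world_unreadable_config "$demo_home"
echo "Untraversable dirs:";      world_blocked_dirs "$demo_home"
rm -rf "$demo_home"
```
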

------------------------------------------------------------------------
[2006-02-10 19:46:44] jnavratil at houston dot rr dot com

Do you really think that apache should be a member of the oracle group
to run php5_module with OCI8?  A friend, who has been a consultant with
Oracle for the last 10 years doesn't consider it kosher.  My client for
whom I am developing a PHP/Oracle application doesn't particularly like
the idea of a PHP script being able to execute any Oracle binary it likes.

Instant client is designed for accessing remote database servers.  It
may be the only way to provide the security needed.  I don't know but
now will have to learn it to find out.  Clearly OCI8 as currently
written is pretty useless for a production environment, at least if
Oracle and Apache are on the same server.

------------------------------------------------------------------------
[2006-02-10 18:21:13] tony2...@php.net

OCI8 extension itself doesn't require any variables, access privileges
etc. Those requirements are set by oracle client libraries, so there is
nothing we can do about it.
And personally I don't consider giving read permissions to apache user
as dangerous.

But you can use Oracle Instant Client, which requires neither
ORACLE_HOME (or any other variables) to be set, nor read privileges
for any oracle directories.
See details here:
http://www.oracle.com/technology/tech/oci/instantclient/instantclient.html

No PHP bug -> bogus.

------------------------------------------------------------------------


The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at

    http://bugs.php.net/bug.php?id=36355

